Posted June 2, 2023

Today we'll learn how to enable or disable SHA-1 in the system-wide cryptographic policy, and why we disable SHA-1.

The SHA-1 hash function has an inherently weak design, and advancing cryptanalysis has made it vulnerable to attacks, so CentOS/RHEL 8 and CentOS/RHEL 9 do not use SHA-1 by default. Nevertheless, some third-party applications, for example public signatures, still use SHA-1. To disable the use of SHA-1 in signature algorithms on your system, you can use the NO-SHA1 policy module.

DISABLE SHA-1:

    update-crypto-policies --set DEFAULT:NO-SHA1

Then reboot the system to apply it system-wide.

ENABLE SHA-1:

On the internet there are still thousands or lakhs of devices that use the SHA-1 algorithm. Older operating systems such as CentOS 6, for example, are still in use because they are very light on resources and old applications still run on them. If you try to connect from such an old OS to a modern OS like EL9/CentOS 9, for example with SSH, you will get an error like the one below:

    no hostkey alg

If you check the error message on the modern OS, it will look like this:

    Unable to negotiate with 1.1.1.1 port 43614: no matching host key type found. Their offer: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss [preauth]

This happens because the latest version of OpenSSH has dropped support for SHA1. To fix this, you need to enable the SHA-1 algorithm on your modern OS, for example EL9/CentOS 9. Run the command below to enable SHA-1:

    update-crypto-policies --set DEFAULT:SHA1

That's it: you have set the system-wide crypto policy to enable SHA1. A system reboot is also recommended after enabling SHA1.
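Before switching a host to DEFAULT:SHA1, it helps to see which peers actually fail for this reason. The following is an added example, not part of the original post: it scans sshd log lines for the "Unable to negotiate" message shown above and lists the peers whose entire host key offer is SHA-1 based. The function name, the sample log lines and the 192.0.2.x addresses are constructed for illustration.

```python
import re

# Host key algorithms that sign with SHA-1: ssh-rsa and ssh-dss (RFC 4253)
# and their OpenSSH certificate variants, as seen in the offer quoted above.
SHA1_HOSTKEY_ALGS = {
    "ssh-rsa", "ssh-dss",
    "ssh-rsa-cert-v01@openssh.com", "ssh-dss-cert-v01@openssh.com",
    "ssh-rsa-cert-v00@openssh.com", "ssh-dss-cert-v00@openssh.com",
}

# Matches only the host key negotiation failure, not kex or cipher failures.
NEGOTIATE_RE = re.compile(
    r"Unable to negotiate with (?P<peer>\S+) port \d+: "
    r"no matching host key type found\. Their offer: (?P<offer>\S+)"
)

def sha1_only_peers(log_lines):
    """Return {peer: sorted offer} for peers that offered only SHA-1 host key types."""
    result = {}
    for line in log_lines:
        m = NEGOTIATE_RE.search(line)
        if not m:
            continue
        offer = [alg for alg in m.group("offer").split(",") if alg]
        # A peer that also offers a non-SHA-1 type does not need the SHA1 policy.
        if offer and all(alg in SHA1_HOSTKEY_ALGS for alg in offer):
            result[m.group("peer")] = sorted(offer)
    return result

# Constructed sample input: the first line reuses the message from the post,
# the others are made-up lines that must not be reported.
SAMPLE_LOG = [
    "sshd[1201]: Unable to negotiate with 1.1.1.1 port 43614: no matching host key "
    "type found. Their offer: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,"
    "ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss [preauth]",
    "sshd[1202]: Unable to negotiate with 192.0.2.7 port 50022: no matching host key "
    "type found. Their offer: ssh-rsa,ssh-ed25519 [preauth]",
    "sshd[1203]: Unable to negotiate with 192.0.2.8 port 50100: no matching key "
    "exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]",
    "sshd[1204]: Accepted publickey for admin from 192.0.2.9 port 50200 ssh2",
]

if __name__ == "__main__":
    for peer, offer in sha1_only_peers(SAMPLE_LOG).items():
        print(f"{peer} offers only SHA-1 host key types: {', '.join(offer)}")
```

If the list is short, those are the legacy clients that the DEFAULT:SHA1 policy would be enabled for.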